Slashdot Mirror


Two New WMF Bugs Found

Resident Egoist writes "Via PCWorld the news that two new Metafile bugs have been found, just a week after the patching of previous critical WMF issues." From the article: "All three flaws concern the way Windows renders images in the Windows Metafile (WMF) format used by some CAD (computer-aided design) applications, but these latest flaws are far less serious than the vulnerability that Microsoft patched last week, according to security experts. That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update."

13 of 127 comments

  1. "unusual"? by ummit · · Score: 1, Insightful
    That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch...

    What's so unusual about that? (Seriously, it seems to happen every few months.)

  2. "Hacker" by mysqlrocks · · Score: 4, Insightful

    ...a hacker has published details of two new flaws that affect the same part of the operating system.

    If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".

    1. Re:"Hacker" by Krach42 · · Score: 4, Insightful

      If you read the post on the security mailing list it sounds like someone trying to get this vulnerability out in the open so it can be fixed. Unless they mean a "white hat" hacker or a hacker in the real sense of the word but I doubt it. This is one of those words that should be used carefully, especially by "journalists".

      This is a good point. A "black hat" hacker does not disclose bugs, but rather keeps them quiet or shares them with select friends and peers.

      A person releasing this information to a security list is either a concerned "citizen", or a security person.

      A citizen posting information to a newspaper editorial about lack of security at the courthouse, for instance "I was at the courthouse, and there was a side door that wasn't being watched at all by anyone!" wouldn't get immediately marked as a terrorist.

      Why should we automatically mark a person disclosing computer-security information to the public as a whole, as a hacker?

      --

      I am unamerican, and proud of it!
  3. Re:Those Who Ignore History Are d00m3d to Relive I by UnknowingFool · · Score: 3, Insightful

    Unfortunately, these days everyone is accustomed to MS and software in general having bugs. Back when Intel was hit, it wasn't commonly known that sometimes CPUs and hardware do have bugs. People tolerate software bugs because they assume there will be a patch. With hardware, you most likely will need a replacement part.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  4. All I can say is... by Skiron · · Score: 3, Insightful

    ... what a fucking mess.

  5. Name the Culprits by Nom du Keyboard · · Score: 3, Insightful

    Why aren't the programmers that worked on any given buggy module ever named? If you faced public ridicule and loss of reputation for releasing exploitable code you might be more careful about what you certify as ready to ship.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Name the Culprits by wellybog · · Score: 4, Insightful

      Speaking as a professional software developer, I have a manager for exactly this reason - if we f*ck up (for whatever reason, but usually because deadlines mean testing doesn't happen), the project manager gets the blame.

      In a perfect world software developers unit test their code, and then testers run through a test plan that was written before development began. Unfortunately we don't live in a perfect world - which is why ideas like "extreme programming" came about.

    2. Re:Name the Culprits by blahtree · · Score: 4, Insightful

      You have obviously never worked in professional software development.

      Software is developed by a team. No, not a team of programmers, but a team of people that may include architects, designers, UI designers, programmers, integrators, testers at various levels, management and marketing. This list changes in different environments. Often smaller, but sometimes larger.

      When a bug is found, who is responsible? Is it the programmer? Is it the tester that missed the bug? Is this "bug" actually a feature requested by marketing? Is this bug the result of mis-design? Was this bug either ignored or not found because of insufficient time allotted by management?

      It's easy to point fingers, but how do you decide who to point them at?

  6. The real question is... by chill · · Score: 4, Insightful

    ...if Microsoft had had the extra time and not released the patch until they considered it "fully tested", would they have caught these bugs as well?

    Knowing that the WMF code is now under the microscope, will they divert resources to specifically re-vet that code, or will they sit on their rear ends and wait until another exploit is found for them?

    As a tidbit of information, I have "converted" three of my neighbors to Linux -- at least dual booting, if not whole penguin -- in the last two months. Each time was at their request and for the exact same reason. Their Windows PC regularly gets trashed by spyware, viruses and worms and they've just damn well had enough in having to deal with it all. They want to get their work done, not fight with malware and have to upgrade machines because their old one isn't powerful enough to run their apps AND all the "keep me safe" software.

      -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:The real question is... by chill · · Score: 2, Insightful

      So did you talk them into upgrading? I find loading up anything good on an old box is a noticeable slowdown :(

      I almost always convinced them to install more RAM. Many of the machines were an anemic 128 Mb of RAM. Boosting them to 512 Mb made a big difference, Windows or Linux.

      Beyond that, only one person had an old, old machine (350 MHz P-2, 128 Mb RAM Dell Optiplex GX-1) and Slackware 10.2 runs fine on that. It runs absolutely great after I had them upgrade the RAM to 512 Mb. They use it for e-mail, web surfing and IM.

      I can't justify telling someone who mostly runs Word, Excel, AIM, Outlook Express and IE (now Firefox) to buy a faster computer. For what a lot of them do, a 750 MHz P3 is blazing.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
  7. Re:but wait did the MS apologist not say by RingDev · · Score: 4, Insightful

    "8 days should have been enough time for MS to completely check the code involved and use every attack possible."

    Yes, because breaking hundreds of people off their regular duties, tracking down 10 year old code written by someone who either doesn't remember writing it or no longer works there, correcting the code in a way that prevents the exploit, but doesn't impact functionality, testing the correction on all supported versions of Windows, numerous hardware configurations, and against dozens of 3rd party software packages that use the library, then documenting the problem, the change, and the dissemination of the change, then getting the whole thing wrapped up into a nice neat deployment package, is easy.

    Yeah, I can see how 8 days is slacking.

    Try reading this article: http://blogs.msdn.com/ericlippert/archive/2003/10/28/53298.aspx "How many MS Employees to change a light bulb?"

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  8. Re:but wait did the MS apologist not say by edwdig · · Score: 5, Insightful

    8 days should have been enough time for MS to completely check the code involved and use every attack possible. The fact that MS obviously hasn't bothered shows they still don't understand security. Of course hackers are going to try to find new exploits in WMF code since they know MS and that if there is one bug there must be others.

    Most of the 8 days wasn't spent checking that the exploit was fixed. I'm sure that part went fairly quickly. The real issue is that although WMF files are fairly rare, the WMF format is used extensively inside Windows. The feature in question is only a security issue when found in arbitrary WMF files, but serves a legit purpose when used inside of applications. The 3rd party fix floating around broke some printer drivers and probably other software, whereas Microsoft's fix resulted in less (if any) broken software. The bulk of the time was spent testing the fix for unexpected consequences.

  9. Re:Uhh, WMF is used by more than just CAD programs by TubeSteak · · Score: 2, Insightful
    Crashing. Whoop-dee-doo. Annoying, sure. Hardly a security issue. (And no, the crash hasn't been shown to allow executed code, either.)
    Isn't that what they said many many months ago about the previous wmf exploit?
    --
    [Fuck Beta]
    o0t!